PT-2026-35112 · Go · Github.Com/Oxia-Db/Oxia

Published 2026-04-14 · Updated 2026-04-14

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

The OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia.

Impact

In deployments using OIDC authentication, an attacker possessing a valid JWT token issued by the same identity provider but intended for a different service (different client id/aud) can authenticate to Oxia. This bypasses the intended audience isolation of OAuth2/OIDC.
All versions using OIDC authentication are affected.

Details

In oxiad/common/rpc/auth/oidc.go, both createStaticKeyVerifier() and createRemoteVerifier() set SkipClientIDCheck: true. While a custom audience check exists in Authenticate(), the library-level check — which validates the aud claim against the expected client id — is completely bypassed.

Patches

Fixed by removing SkipClientIDCheck: true and setting the ClientID field from the configured AllowedAudiences.
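The check that SkipClientIDCheck: true turns off, written out as an added Go example (not Oxia's or go-oidc's code): it takes the decoded claims of a token whose signature, issuer and expiry the library has already verified, accepts "aud" as either a single string or an array as RFC 7519 allows, and passes only if at least one of those values is in the configured allowed audiences. The function names and the claims payloads are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audienceClaim accepts both "aud" forms RFC 7519 allows: one string or an array.
type audienceClaim []string

func (a *audienceClaim) UnmarshalJSON(b []byte) error {
	var single string
	if json.Unmarshal(b, &single) == nil {
		*a = audienceClaim{single}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// checkAudience is the audience check that SkipClientIDCheck: true disables: the
// token must name at least one audience this service is configured to accept.
// It assumes signature, issuer and expiry were already verified by the OIDC library.
func checkAudience(payload []byte, allowedAudiences []string) error {
	var claims struct{ Aud audienceClaim `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("parsing claims: %w", err)
	}
	for _, got := range claims.Aud { // a missing or empty aud never matches
		for _, want := range allowedAudiences {
			if got == want {
				return nil
			}
		}
	}
	return fmt.Errorf("aud %v not in allowed audiences %v", []string(claims.Aud), allowedAudiences)
}

// claimsFor builds a constructed claims payload for the demo (no real token involved).
func claimsFor(aud any) []byte {
	b, _ := json.Marshal(map[string]any{"iss": "https://idp.example", "sub": "svc", "aud": aud})
	return b
}

func main() {
	allowed := []string{"oxia"}
	fmt.Println(checkAudience(claimsFor("oxia"), allowed))                      // <nil>
	fmt.Println(checkAudience(claimsFor([]string{"billing", "oxia"}), allowed)) // <nil>
	fmt.Println(checkAudience(claimsFor("billing"), allowed))                   // rejected
}
```

A token minted by the same issuer for another client ("billing" above) is exactly the case the advisory describes; with the check in place it is rejected even though its signature would verify.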

Workarounds

Ensure network-level isolation so that only trusted services can reach the Oxia gRPC endpoints.

Fix

Weakness Enumeration

Improper Authentication

Related identifiers

GHSA-FHVP-9HCJ-6M33

Affected products

Github.Com/Oxia-Db/Oxia